centos 7 - firewalld

What is a zone?

A network zone defines the level of trust for network connections. This is a one to many relation, which means that a connection can only be part of one zone, but a zone can be used for many network connections.

Predefined services

A service is a combination of port and/or protocol entries. Optionally netfilter helper modules can be added and also a IPv4 and IPv6 destination address.

Ports and protocols

Definition of tcp or udp ports, where ports can be a single port or a port range.

ICMP blocks

Selected Internet Control Message Protocol (ICMP) messages. These messages are either information requests or created as a reply to information requests or in error conditions.

Masquerading

The addresses of a private network are mapped to and hidden behind a public IP address. This is a form of address translation.

Forward ports

A port is either mapped to another port and/or to another host.

Which zones are available?

These are the zones provided by firewalld sorted according to the default trust level of the zones from untrusted to trusted:

drop

Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.

block

Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated within this system are possible.

public

For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

external

For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

dmz

For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.

work

For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

home

For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

internal

For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.

trusted

All network connections are accepted.

[1]	To use Firewalld, start it.

[root@dlp ~]#  systemctl start firewalld  [root@dlp ~]#  systemctl enable firewalld

[2]	By default, "public" zone is applied with a NIC and dhcpv6-client and ssh are allowed. When operating with "firewall-cmd" command, if you input the command without "--zone=***" specification, then, configuration is set to the default zone.

# display the default zone [root@dlp ~]#  firewall-cmd --get-default-zone  public # display current settings [root@dlp ~]#  firewall-cmd --list-all  public (default, active) interfaces: eno16777736 sources: services: dhcpv6-client ssh ports: masquerade: no forward-ports: icmp-blocks: rich rules: # display all zones defined by default [root@dlp ~]#  firewall-cmd --list-all-zones  block interfaces: sources: services: ports: masquerade: no forward-ports: icmp-blocks: rich rules: ..... ..... # display allowed services on a specific zone [root@dlp ~]#  firewall-cmd --list-service --zone=external  ssh # change default zone [root@dlp ~]#  firewall-cmd --set-default-zone=external  success # change zone for an interface (*note) [root@dlp ~]#  firewall-cmd --change-interface=eth1 --zone=external  success [root@dlp ~]#  firewall-cmd --list-all --zone=external external (active) interfaces: eth1 sources: services: ssh ports: masquerade: yes forward-ports: icmp-blocks: rich rules: # *note : it's not changed permanently with "change-interface" even if added "--permanent" option # if change permanently, use nmcli like follows [root@dlp ~]#  nmcli c mod eth1 connection.zone external  [root@dlp ~]#  firewall-cmd --get-active-zone  external interfaces: eth1 public interfaces: eth0

[3]	Display services defined by default.

[root@dlp ~]#  firewall-cmd --get-services  amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https # definition files are placed like follows # if you'd like to add your original definition, add XML file on there [root@dlp ~]#  ls /usr/lib/firewalld/services  amanda-client.xml ipp-client.xml mysql.xml rpc-bind.xml bacula-client.xml ipp.xml nfs.xml samba-client.xml bacula.xml ipsec.xml ntp.xml samba.xml dhcpv6-client.xml kerberos.xml openvpn.xml smtp.xml dhcpv6.xml kpasswd.xml pmcd.xml ssh.xml dhcp.xml ldaps.xml pmproxy.xml telnet.xml dns.xml ldap.xml pmwebapis.xml tftp-client.xml ftp.xml libvirt-tls.xml pmwebapi.xml tftp.xml high-availability.xml libvirt.xml pop3s.xml transmission-client.xml https.xml mdns.xml postgresql.xml vnc-server.xml http.xml mountd.xml proxy-dhcp.xml wbem-https.xml imaps.xml ms-wbt.xml radius.xml

[4]	Add or Remove allowed services. The change will be back after rebooting the system. If you change settings permanently, add the "--permanent" option.

# for example, add http (the change will be valid at once) [root@dlp ~]#  firewall-cmd --add-service=http  success [root@dlp ~]#  firewall-cmd --list-service  dhcpv6-client http ssh # for example, remove http [root@dlp ~]#  firewall-cmd --remove-service=http  success [root@dlp ~]#  firewall-cmd --list-service  dhcpv6-client ssh # for example, add http permanently. (this permanent case, it's necessary to reload the Firewalld to enable the change) [root@dlp ~]#  firewall-cmd --add-service=http --permanent  success [root@dlp ~]#  firewall-cmd --reload  success [root@dlp ~]#  firewall-cmd --list-service  dhcpv6-client http ssh

[5]	Add or remove allowed ports.

# for example, add TCP 465 [root@dlp ~]#  firewall-cmd --add-port=465/tcp  success [root@dlp ~]#  firewall-cmd --list-port  465/tcp # for example, remove TCP 465 [root@dlp ~]#  firewall-cmd --remove-port=465/tcp  success [root@dlp ~]#  firewall-cmd --list-port    # for example, add TCP 465 permanently [root@dlp ~]#  firewall-cmd --add-port=465/tcp --permanent  success [root@dlp ~]#  firewall-cmd --reload  success [root@dlp ~]#  firewall-cmd --list-port  465/tcp

[6]	Add or remove prohibited ICMP types.

# for example, add echo-request to prohibit it [root@dlp ~]#  firewall-cmd --add-icmp-block=echo-request  success [root@dlp ~]#  firewall-cmd --list-icmp-blocks  echo-request # for example, remove echo-request [root@dlp ~]#  firewall-cmd --remove-icmp-block=echo-request  success [root@dlp ~]#  firewall-cmd --list-icmp-blocks    # display ICMP types [root@dlp ~]#  firewall-cmd --get-icmptypes  destination-unreachable echo-reply echo-request parameter-problem redirect  router-advertisement router-solicitation source-quench time-exceeded